In one respect, there is provided a system for training a neural network adapted for classifying one or more instruction sequences. The system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one processor provides operations including: training, based at least on training data, a machine learning model to detect one or more predetermined interdependencies amongst a plurality of tokens in the training data; and providing the trained machine learning model to enable classification of one or more instruction sequences. Related methods and articles of manufacture, including computer program products, are also provided.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A system for detecting malicious instruction sequences in a script which, when executed causes undesirable or harmful behavior to a computing device, the system comprising: at least one processor; and at least one memory including program code which when executed by the at least one processor provides operations comprising: tokenizing a plurality of historical instruction sequences each forming part of a different script to generate training data, wherein the instruction sequences are configured to be executed without compilation; training, based at least on the training data, at least one machine learning model to detect one or more predetermined interdependencies amongst a plurality of tokens in the training data, wherein at least one of the predetermined interdependencies indicates that the corresponding instructions sequence is malicious, the trained at least one machine learning model using encoding to vectorize instruction sequences so as to preserve similarities between tokens; and providing the trained at least one machine learning model to enable classification of one or more instruction sequences as either being malicious or benign based on the detected one or more predetermined interdependencies, the trained at least one machine learning model, when deployed, being used to prevent instruction sequences classified as malicious from being executed and causing undesirable or harmful behavior to the computing device; wherein: the trained at least one machine learning model comprises a recursive neural tensor network that assigns weights and tensors to nodes and connections of an abstract syntax tree representation of the instruction sequence such that a weight of a parent node p in the abstract syntax tree representation is based on: $p = f\left(\begin{bmatrix} c_1 \\ c_2 \end{bmatrix} V \begin{bmatrix} c_1 \\ c_2 \end{bmatrix} + W \begin{bmatrix} c_1 \\ c_2 \end{bmatrix}\right)$, wherein $c_1$ and $c_2$ correspond to scores assigned to children nodes in the abstract syntax tree representation, wherein tensor V and weight W connect the children nodes to the parent node, wherein a tensor V is defined as $V \in \mathbb{R}^{2d \times 2d \times d}$, and wherein d is a dimension of a vector representing a token; the abstract syntax tree representation of the instruction sequence preserves a structure of the instruction sequence including one or more rules for combining the tokens in the instruction sequence; the encoding maximizes an objective function J(θ) in order to generate v vector representations that preserve similarities between tokens: $J(\theta) = \frac{1}{T} \sum_{t=1}^{T} \sum_{-c \le j \le c,\, j \ne 0} \log p(w_{t+j} \mid w_t)$, wherein T is a total number of tokens in a training corpus, $w_t$ is a current token, c is a window size, $w_{t+j}$ represents a token in a window before or after $w_t$, and $p(w_{t+j} \mid w_t)$ represents a probability of $w_{t+j}$ given $w_t$, wherein $p(w_{t+j} \mid w_t)$ is: $p(w_{t+j} \mid w_t) = \frac{\exp\left({v'_{w_{t+j}}}^{T} v_{w_t}\right)}{\sum_{w=1}^{W} \exp\left({v'_{w}}^{T} v_{w_t}\right)}$, wherein W is a number of words in a vocabulary in a plurality of training instruction sequences and there are n tokens ($T_1, T_2, \ldots, T_n$) and $v_w$ and $v'_w$ are input and output vector representations of w; the trained at least one machine learning model comprises a second machine learning model that is different than the recursive neural tensor network that is configured to detect one or more predetermined interdependencies in one direction by at least processing the plurality of tokens in a forward order and to detect one or more other predetermined interdependencies in an opposite direction by at least processing the plurality of tokens in an opposite order.
2. The system of claim 1 further comprising: receiving the training data, wherein the training data comprises a sequence of instructions.
3. The system of claim 2, wherein the sequence of instructions includes the plurality of tokens, and wherein at least one of the plurality of tokens comprises at least one character and/or binary digit.
4. The system of claim 1, wherein the one or more predetermined interdependencies include a presence, in the training data, of a first token subsequent to at least a second token.
5. The system of claim 1, wherein the one or more predetermined interdependencies indicate at least one function and/or behavior associated with the training data.
6. The system of claim 1, wherein a first layer of the trained at least one machine learning model encodes the tokens using one or more encoding techniques and generates vector representations of the tokens to pass to a next layer of the trained at least one machine learning model.
7. The system of claim 6, wherein the second machine learning model comprises a long short-term memory neural network.
8. The system of claim 7, wherein the long short-term memory neural network comprises an embedding layer configured to generate vector representations of the plurality of tokens in the training data.
9. The system of claim 8, wherein the embedding layer is configured to use one-hot encoding to generate the vector representations of the plurality of tokens in the training data.
10. The system of claim 8, wherein the embedding layer is configured to use word2vec to generate the vector representations of the plurality of tokens in the training data.
11. The system of claim 7, wherein the long short-term memory neural network comprises a first long short-term memory layer, and wherein the first long short-term memory layer comprises a memory cell having an input gate, an output gate, and a forget gate.
12. The system of claim 11, wherein the first long short-term memory layer is configured to receive a first token from the plurality of tokens included in the training data.
13. The system of claim 12, wherein a current hidden state of the first long short-term memory layer is determined based at least on the first token and a previous hidden state of the first long short-term memory layer, wherein the previous hidden state of the first long short-term memory layer corresponds to one or more tokens already processed by the long short-term memory neural network, and wherein an output of the first long short-term memory layer corresponds to the current hidden state of the first long short-term memory layer.
14. The system of claim 11, wherein the long short-term memory neural network further comprises a second long short-term memory layer, wherein the first long short-term memory layer is configured to detect one or more predetermined interdependencies in one direction by at least processing the plurality of tokens in a forward order, and wherein the second long short-term memory layer is configured to detect one or more other predetermined interdependencies in an opposite direction by at least processing the plurality of tokens in an opposite order.
15. The system of claim 1, wherein training the recursive neural tensor network includes processing an abstract syntax tree representation of the training data with the recursive neural tensor network.
16. The system of claim 15, further comprising: generating, based at least on a structure of the plurality of tokens in the training data, the abstract syntax tree representation of the training data.
17. The system of claim 16, wherein the abstract syntax tree representation of the training data includes a parent node corresponding to a first token from the plurality of tokens in the training data, and a leaf node corresponding to a second token from the plurality of tokens in the training data, and wherein the leaf node comprises a child node of the parent node.
18. The system of claim 17, wherein the first token indicates a rule for combining the second token and a third token from the plurality of tokens in the training data.
19. The system of claim 18, wherein the parent node is associated with a weight that is determined based at least on a first weight and a first tensor associated with the leaf node, and a second weight and a second tensor associated with another leaf node corresponding to the third token.
20. A computer-implemented method for detecting malicious instruction sequences in a script which, when executed causes undesirable or harmful behavior to a computing device, the method comprising: receiving a plurality of instructions sequences that are configured to be executed without compilation; classifying, using a plurality of machine learning models trained using training data, the instruction sequences as either being malicious or benign based on a detected one or more predetermined interdependencies, the training data comprising a plurality of tokenized historical instruction sequences each forming part of a different script to generate training data, at least one of the trained machine learning models using encoding to vectorize instruction sequences so as to preserve similarities between tokens; and preventing the instruction sequences classified as malicious from being executed thereby avoiding the instructions sequences from causing undesirable or harmful behavior to the computing device; wherein a first of the plurality of machine learning models comprises a recursive neural tensor network that assigns weights and tensors to nodes and connections of an abstract syntax tree representation of the instruction sequence such that a weight of a parent node p in the abstract syntax tree representation is based on: $p = f\left(\begin{bmatrix} c_1 \\ c_2 \end{bmatrix} V \begin{bmatrix} c_1 \\ c_2 \end{bmatrix} + W \begin{bmatrix} c_1 \\ c_2 \end{bmatrix}\right)$, wherein $c_1$ and $c_2$ correspond to scores assigned to children nodes in the abstract syntax tree representation, wherein tensor V and weight W connect the children nodes to the parent node, wherein a tensor V is defined as $V \in \mathbb{R}^{2d \times 2d \times d}$, and wherein d is a dimension of a vector representing a token: the abstract syntax tree representation of the instruction sequence preserves a structure of the instruction sequence including one or more rules for combining the tokens in the instruction sequence; the encoding maximizes an objective function J(θ) in order to generate v vector representations that preserve similarities between tokens: $J(\theta) = \frac{1}{T} \sum_{t=1}^{T} \sum_{-c \le j \le c,\, j \ne 0} \log p(w_{t+j} \mid w_t)$, wherein T is a total number of tokens in a training corpus, $w_t$ is a current token, c is a window size, $w_{t+j}$ represents a token in a window before or after $w_t$, and $p(w_{t+j} \mid w_t)$ represents a probability of $w_{t+j}$ given $w_t$, wherein $p(w_{t+j} \mid w_t)$ is: $p(w_{t+j} \mid w_t) = \frac{\exp\left({v'_{w_{t+j}}}^{T} v_{w_t}\right)}{\sum_{w=1}^{W} \exp\left({v'_{w}}^{T} v_{w_t}\right)}$, wherein W is a number of words in a vocabulary in a plurality of training instruction sequences and there are n tokens ($T_1, T_2, \ldots, T_n$) and $v_w$ and $v'_w$ are input and output vector representations of w; wherein a second of the plurality of machine learning models comprises a long short-term memory neural network, wherein the long short-term memory neural network comprises an embedding layer configured to generate vector representations of the plurality of tokens in the training data, wherein the long short-term memory neural network comprises a first long short-term memory layer, wherein the first long short-term memory layer comprises a memory cell having an input gate, an output gate, and a forget gate, the first long short-term memory layer is configured to receive a first token from the plurality of tokens included in the training data, the long short-term memory neural network further comprises a second long short-term memory layer, wherein the first long short-term memory layer is configured to detect one or more predetermined interdependencies in one direction by at least processing the plurality of tokens in a forward order, and wherein the second long short-term memory layer is configured to detect one or more other predetermined interdependencies in an opposite direction by at least processing the plurality of tokens in an opposite order.
21. The method of claim 20, wherein a first layer of one of the trained machine learning models encodes the tokens using word2vec encoding and generates vector representations of the tokens to pass to a next layer of such trained machine learning model, the word2vec encoding maximizes an objective function J(θ) in order to generate vector representations that preserve similarities between tokens.
22. A computer-implemented method for detecting malicious instruction sequences in a script which, when executed causes undesirable or harmful behavior to a computing device, the method comprising tokenizing a plurality of historical instruction sequences each forming part of a different script to generate training data, wherein the instruction sequences are configured to be executed without compilation; training, based at least on the training data, two machine learning models to detect one or more predetermined interdependencies amongst a plurality of tokens in the training data, wherein at least one of the predetermined interdependencies indicates that the corresponding instructions sequence is malicious, the two trained machine learning models using encoding to vectorize instruction sequences so as to preserve similarities between tokens; and providing the trained machine learning models to enable classification of one or more instruction sequences as either being malicious or benign based on the detected one or more predetermined interdependencies, the trained machine learning models, when deployed, being used to prevent instruction sequences classified as malicious from being executed and causing undesirable or harmful behavior to the computing device; wherein: a first of the trained machine learning models comprises a recursive neural tensor network that assigns weights and tensors to nodes and connections of an abstract syntax tree representation of the instruction sequence such that a weight of a parent node p in the abstract syntax tree representation is based on: $p = f\left(\begin{bmatrix} c_1 \\ c_2 \end{bmatrix} V \begin{bmatrix} c_1 \\ c_2 \end{bmatrix} + W \begin{bmatrix} c_1 \\ c_2 \end{bmatrix}\right)$, wherein $c_1$ and $c_2$ correspond to scores assigned to children nodes in the abstract syntax tree representation, wherein tensor V and weight W connect the children nodes to the parent node, wherein a tensor V is defined as $V \in \mathbb{R}^{2d \times 2d \times d}$, and wherein d is a dimension of a vector representing a token; the abstract syntax tree representation of the instruction sequence preserves a structure of the instruction sequence including one or more rules for combining the tokens in the instruction sequence; the encoding maximizes an objective function J(θ) in order to generate v vector representations that preserve similarities between tokens: $J(\theta) = \frac{1}{T} \sum_{t=1}^{T} \sum_{-c \le j \le c,\, j \ne 0} \log p(w_{t+j} \mid w_t)$, wherein T is a total number of tokens in a training corpus, $w_t$ is a current token, c is a window size, $w_{t+j}$ represents a token in a window before or after $w_t$, and $p(w_{t+j} \mid w_t)$ represents a probability of $w_{t+j}$ given $w_t$, wherein $p(w_{t+j} \mid w_t)$ is: $p(w_{t+j} \mid w_t) = \frac{\exp\left({v'_{w_{t+j}}}^{T} v_{w_t}\right)}{\sum_{w=1}^{W} \exp\left({v'_{w}}^{T} v_{w_t}\right)}$, wherein W is a number of words in a vocabulary in a plurality of training instruction sequences and there are n tokens ($T_1, T_2, \ldots, T_n$) and $v_w$ and $v'_w$ are input and output vector representations of w; a second of the trained machine learning models is configured to detect one or more predetermined interdependencies in one direction by at least processing the plurality of tokens in a forward order and to detect one or more other predetermined interdependencies in an opposite direction by at least processing the plurality of tokens in an opposite order.
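The parent-node composition recited in claims 1, 20 and 22, worked bottom-up over a small abstract syntax tree, as an added example that is not code from the patent. Assumptions: f is tanh, the first [c1; c2] factor is read as a row vector so each tensor slice yields one scalar, V is stored as d slices of 2d x 2d, and the token vectors, parameters and tuple-based tree are constructed for illustration.

```python
import math
import random

D = 2  # d: dimension of a token vector (kept tiny for illustration)

def make_params(seed=7):
    """Constructed, untrained parameters: V as d slices of 2d x 2d, W as d x 2d."""
    rng = random.Random(seed)
    rand = lambda: rng.uniform(-0.5, 0.5)
    V = [[[rand() for _ in range(2 * D)] for _ in range(2 * D)] for _ in range(D)]
    W = [[rand() for _ in range(2 * D)] for _ in range(D)]
    return V, W

def compose(c1, c2, V, W):
    """Parent vector p = f(c V c + W c) with c = [c1; c2]; f = tanh is assumed."""
    c = list(c1) + list(c2)
    n = len(c)
    p = []
    for k in range(len(W)):
        # Tensor term: slice k of V couples every pair of child components.
        bilinear = sum(c[i] * V[k][i][j] * c[j] for i in range(n) for j in range(n))
        # Standard recursive-network term: a linear map of the stacked children.
        linear = sum(W[k][j] * c[j] for j in range(n))
        p.append(math.tanh(bilinear + linear))
    return p

def encode(node, emb, V, W):
    """Leaves are token strings; internal nodes are (left, right) tuples."""
    if isinstance(node, str):
        return emb[node]
    left, right = node
    return compose(encode(left, emb, V, W), encode(right, emb, V, W), V, W)

# Constructed token vectors (a trained embedding layer would supply these).
EMB = {"eval": [0.9, -0.2], "decode": [0.4, 0.7], "blob": [-0.3, 0.1]}
# Binarized AST for the constructed script fragment eval(decode(blob)).
AST = ("eval", ("decode", "blob"))

def root_vector(ast=AST, seed=7):
    """Vector at the root of the tree; a classifier layer would score this."""
    V, W = make_params(seed)
    return encode(ast, EMB, V, W)

if __name__ == "__main__":
    print(root_vector())
```

Because the children are combined along the tree, the same three tokens grouped differently produce a different root vector, which is the structure-preserving property the claims attribute to the abstract syntax tree representation.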
November 7, 2016
February 16, 2021